Bug 29569 - POST over HTTPS with verify client certificate
Summary: POST over HTTPS with verify client certificate
Status: RESOLVED DUPLICATE of bug 12355
Alias: None
Product: Apache httpd-2
Classification: Unclassified
Component: mod_ssl (show other bugs)
Version: 2.0-HEAD
Hardware: All All
: P3 normal (vote)
Target Milestone: ---
Assignee: Apache HTTPD Bugs Mailing List
URL: http://ers.msk.ru
Depends on:
Reported: 2004-06-15 09:59 UTC by Roman Emelyanov
Modified: 2004-11-16 19:05 UTC (History)
0 users


Note You need to log in before you can comment on or make changes to this bug.
Description Roman Emelyanov 2004-06-15 09:59:48 UTC
I'm using POST over HTTPS with verify client certificate and found possible bug.
According to /CHANES:
>Changes with Apache 2.0.37
> *) allow POST method over SSL when per-directory client cert
>     authentication is used with 'SSLOptions +OptRenegotiate' enabled
>     and a client cert was found in the ssl session cache.
But server still write to log:
>[error] SSL Re-negotiation in conjunction with POST method not supported!
\nhint: try SSLOptions +OptRenegotiate
Then I apply patch below feature will be worked rigth.
### BEGIN DIFF ###
--- modules/ssl/ssl_engine_kernel.c     Tue Jun 15 13:20:46 2004
+++ modules/ssl/ssl_engine_kernel.c.orig        Tue Jun 15 13:38:17 2004
@@ -549,7 +549,7 @@
-    if (!renegotiate && !renegotiate_quick && (r->method_number == M_POST)) {
+    if (renegotiate && !renegotiate_quick && (r->method_number == M_POST)) {
         ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server,
                      "SSL Re-negotiation in conjunction "
                      "with POST method not supported!\n"
### END DIFF ###
Comment 1 Joe Orton 2004-07-07 14:09:25 UTC
I think this patch is reversed?  The current logic is 

  if (renegotiate && !renegotiate_quick && (r->method_number == M_POST)) {

i.e. if a renegotiation is needed, and a quick renegotiation isn't possible, and
the request is a POST request, then log the error and return a 403.  Which makes

If a renegotiation is *not* needed, then the function does not attempt one anyway.  

Presuming this is a duplicate of 12355 unless there's anything subtle I'm missing.

*** This bug has been marked as a duplicate of 12355 ***